
View Full Version : Orbitz?


Orbitz
Jan 21, 2006, 09:14 AM
Dear J2O,

I am letting you know these crashes occurring are not me, for proof take an eye on my IP: 72.139.36.204
So if you're gonna blame me, prove it cuz it's not me.

cooba
Jan 21, 2006, 09:26 AM
How can we know you don't have a dynamic IP this time?

FQuist
Jan 21, 2006, 09:30 AM
How can you know he has?

Birdie
Jan 21, 2006, 09:32 AM
His IP address is static, it's been that way for a long time.

cooba
Jan 21, 2006, 09:35 AM
It's not like you can't change ISPs to get a dynamic IP.

FQuist
Jan 21, 2006, 09:50 AM
This is all speculation. It has no value to build decisions on.

cooba
Jan 21, 2006, 09:54 AM
This is all speculation.
Yeah but heck of a darn good speculation.

Grytolle
Jan 21, 2006, 10:37 AM
Alright... Orbitz claims that ThaSpaz is the crasher. That is very likely too. Anyways, here comes some evidence that should get one person banned:

Log from my server's uptime (about 3 minutes, just estimatedly):
http://www.freewebs.com/grytolle/jazz2stuff/hackernoob.txt

<pre>2629 69.72.144.19:51534 192.168.0.100:10052 81 Recv
0000 01 0E 01 03 01 00 00 00 00 41 53 44 41 4F 53 46 .........ASDAOSF
0010 48 4F 49 53 41 46 48 4F 53 41 48 47 4F 4C 41 53 HOISAFHOSAHGOLAS
0020 47 46 48 42 50 53 41 4F 4E 41 53 4F 49 4A 53 4E GFHBPSAONASOIJSN
0030 47 50 4F 53 41 48 4E 4F 49 41 47 53 4F 49 48 53 GPOSAHNOIAGSOIHS
0040 46 4F 50 53 41 49 46 48 4F 49 50 53 41 46 48 53 FOPSAIFHOIPSAFHS
0050 41 A</pre>

This one sure looks malicious?

UNKNOWNFILE
Jan 21, 2006, 10:39 AM
2629 69.72.144.19:51534 192.168.0.100:10052 81 Recv
0000 01 0E 01 03 01 00 00 00 00 41 53 44 41 4F 53 46 .........ASDAOSF
0010 48 4F 49 53 41 46 48 4F 53 41 48 47 4F 4C 41 53 HOISAFHOSAHGOLAS
0020 47 46 48 42 50 53 41 4F 4E 41 53 4F 49 4A 53 4E GFHBPSAONASOIJSN
0030 47 50 4F 53 41 48 4E 4F 49 41 47 53 4F 49 48 53 GPOSAHNOIAGSOIHS
0040 46 4F 50 53 41 49 46 48 4F 49 50 53 41 46 48 53 FOPSAIFHOIPSAFHS
0050 41 A

Looks like someone initiated a connection ;O

Grytolle
Jan 21, 2006, 10:42 AM
Not to mention sent spam, probably for flooding. If you follow the log after that, you see that I crash.

Edit: What the (-)? Port 51534? then it sure wasn't sent from a jj2 client?;p Oh, and an admin, please verify that Orbitz didn't lie about his IP.

Link
Jan 21, 2006, 10:54 AM
Not to mention sent spam, probably for flooding. If you follow the log after that, you see that I crash.

Edit: What the (-)? Port 51534? then it sure wasn't sent from a jj2 client?;p Oh, and an admin, please verify that Orbitz didn't lie about his IP.
The source port is generally randomly selected. You'll notice in your log that the other person who joined your server used port 1138. However, it was still obviously not a JJ2 client just from the nature of what was sent.

The address that Orbitz named matches the address from which he posted.

Grytolle
Jan 21, 2006, 10:56 AM
Okay, and he didn't post with a known webproxy or so? ;p

<PRE>2545 69.72.144.19:51534 192.168.0.100:10052 9 Recv
0000 09 0F 01 04 32 31 20 20 01 ....21 .

2629 69.72.144.19:51534 192.168.0.100:10052 81 Recv
0000 01 0E 01 03 01 00 00 00 00 41 53 44 41 4F 53 46 .........ASDAOSF
0010 48 4F 49 53 41 46 48 4F 53 41 48 47 4F 4C 41 53 HOISAFHOSAHGOLAS
0020 47 46 48 42 50 53 41 4F 4E 41 53 4F 49 4A 53 4E GFHBPSAONASOIJSN
0030 47 50 4F 53 41 48 4E 4F 49 41 47 53 4F 49 48 53 GPOSAHNOIAGSOIHS
0040 46 4F 50 53 41 49 46 48 4F 49 50 53 41 46 48 53 FOPSAIFHOIPSAFHS
0050 41 A</PRE>

Those are all packets from that IP, so it was obviously no one in server that crashed me ;o (And the first one resembles those you get from jforce.)

Trafton
Jan 21, 2006, 11:51 AM
69.72.144.19 resolves to a web server registered in Naperville, Illinois.

Registration contact is:


Rags Rajagopalan
+1.6305186387
Fax: +1.9999999999
710 E Ogden Ave
Suite 540
Naperville, S 60563
US

White Rabbit
Jan 21, 2006, 12:12 PM
That's definitely the IP which ApprehendJJ2 logged when I got DoS attacked.

UNKNOWNFILE
Jan 21, 2006, 12:19 PM
69.72.144.19 resolves to a web server registered in Naperville, Illinois.

That IP sounds familiar...

Grytolle
Jan 21, 2006, 12:25 PM
What does DoS stand for? It's not as in MS DOS, right?

ArticunoNeo
Jan 21, 2006, 12:40 PM
What does DoS stand for? It's not as in MS DOS, right?

Denial of Service =)

http://en.wikipedia.org/wiki/Denial_of_service for more stuff

Trafton
Jan 21, 2006, 12:46 PM
Rags Rajagopalan is apparently the owner of NotionTide, Inc., a wireless evangelism firm. I doubt he's the one responsible.

Should I give him a ring?

Grytolle
Jan 21, 2006, 12:55 PM
You should, if not for jj2's sake, but for his own. :) I'd want to know if someone did bad stuff appearing to be me.

UNKNOWNFILE
Jan 21, 2006, 01:13 PM
OK, I finally found out what the IP was, which was the host of my website. It appears that someone had been accessing my server list thing on my website through a file I had assumed to be deleted and had been using that script to take down servers. It's been fixed now.

Grytolle
Jan 21, 2006, 01:30 PM
Ugh... that sucks. But it also means it can not be Orbitz who obviously isn't skilled enough for that.

Cpp
Jan 21, 2006, 01:39 PM
Alright... Orbitz claims that ThaSpaz is the crasher. That is very likely too. Anyways, here comes some evidence that should get one person banned:

Log from my server's uptime (about 3 minutes, just estimatedly):
http://www.freewebs.com/grytolle/jazz2stuff/hackernoob.txt

<pre>2629 69.72.144.19:51534 192.168.0.100:10052 81 Recv
0000 01 0E 01 03 01 00 00 00 00 41 53 44 41 4F 53 46 .........ASDAOSF
0010 48 4F 49 53 41 46 48 4F 53 41 48 47 4F 4C 41 53 HOISAFHOSAHGOLAS
0020 47 46 48 42 50 53 41 4F 4E 41 53 4F 49 4A 53 4E GFHBPSAONASOIJSN
0030 47 50 4F 53 41 48 4E 4F 49 41 47 53 4F 49 48 53 GPOSAHNOIAGSOIHS
0040 46 4F 50 53 41 49 46 48 4F 49 50 53 41 46 48 53 FOPSAIFHOIPSAFHS
0050 41 A</pre>

This one sure looks malicious?
That is definitely the long name crash packet. Apparently whoever did this seems to be experimenting with long name crashes for the first time (he didn't get the packet length right, but not that it matters anyway). Since people have filters for ASD, the user felt like making his own tool for the job that is not stopped by the WPE ASD filters. The long uppercase name is not random, the user must have written it by hand. This is only the first step in his experiment. Next time he'll come up with a program that randomizes a name each time an attack is performed. Bye bye the idea of WPE long name string matching filters.

Link
Jan 21, 2006, 01:43 PM
OK, I finally found out what the IP was, which was the host of my website. It appears that someone had been accessing my server list thing on my website through a file I had assumed to be deleted and had been using that script to take down servers. It's been fixed now.

Does that explain how they connected to and crashed servers from that address? Was it just a server listing script, or did it actually connect to games and they found some way to exploit it?

If you have access to the site logs, you should be able to find out who it was, or at least their IP address. Also, how did they find it? Did you have links to this script or tell anyone about it?

Grytolle
Jan 21, 2006, 01:59 PM
Overlord, what do you think of:
Detection like this: "0E" to determine it is joining, and then at the first place out of the allowed just make one filter for each possible hexvalue? Then block all such packages. Nvm, I just realized that that is like many combinations -.-

Is there any program that can simply filter out too long packets? WPE is great, but it could really use that function.

Oh, and for private games, it would be a good idea to just block all packets beginning with XX 0E when all players are in server. Maybe it can be added to the "official filter"? It would suck if jj2wc-games were interrupted by frequent crashes like this...

Vegito
Jan 21, 2006, 02:12 PM
Not to mention sent spam, probably for flooding. If you follow the log after that, you see that I crash.

Edit: What the (-)? Port 51534? then it sure wasn't sent from a jj2 client?;p Oh, and an admin, please verify that Orbitz didn't lie about his IP.





Orbitz: 72.139.36.204

It indeed is Orbitz' real IP. (I caught this ages ago, at the first crash wave.)


ThaSpaz: 83.85.199.209

That is the Dutch IP I got from ThaSpaz back at the first crashing wave.
I'm fully sure about those being the right ones.

Torkell
Jan 21, 2006, 02:16 PM
I am letting you know these crashes occurring are not me, for proof take an eye on my IP: 72.139.36.204
FWIW, that IP address is in the Rogers Cable range. Reverse DNS doesn't really hint as to whether it's a static or dynamic address. Some more digging shows that it may be static, as it's linked to a mac address.

Edit: What the (-)? Port 51534? then it sure wasn't sent from a jj2 client?;p Oh, and an admin, please verify that Orbitz didn't lie about his IP.
You can't tell much about a program from the source port, as it's usually chosen by the operating system (either randomly, or, on some systems including Windows, the next free port below ~5000).

Cpp
Jan 21, 2006, 02:28 PM
If WPE could somehow block packets that match a certain length then I would be most happy. However, so far I have not managed to make any filters that check packet length and block those that exceed it. And yes, there are too many combinations to make filters for. A very useful function for WPE would be a check whether a byte is NOT the given value rather than check if it is every possible one, like your idea suggests, Gry. WPE is by no means a perfect packet editor. In fact it's far from that.
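
The length check asked for in the posts above, sketched outside WPE as an added example that is not part of the original thread: it parses the packet log format posted earlier and judges a join packet by its size rather than by the name string. Treating byte 0 as the declared packet length is an inference from the two posted packets and the remark that the sender "didn't get the packet length right"; `MAX_JOIN_LEN` is an assumed threshold.

```python
import re

JOIN_ID = 0x0E      # second byte of a join packet, per the thread ("XX 0E")
MAX_JOIN_LEN = 40   # ASSUMPTION: placeholder ceiling; tune it on legitimate joins

# The two packets from 69.72.144.19 exactly as posted in this thread.
LOG = """\
2545 69.72.144.19:51534 192.168.0.100:10052 9 Recv
0000 09 0F 01 04 32 31 20 20 01 ....21 .

2629 69.72.144.19:51534 192.168.0.100:10052 81 Recv
0000 01 0E 01 03 01 00 00 00 00 41 53 44 41 4F 53 46 .........ASDAOSF
0010 48 4F 49 53 41 46 48 4F 53 41 48 47 4F 4C 41 53 HOISAFHOSAHGOLAS
0020 47 46 48 42 50 53 41 4F 4E 41 53 4F 49 4A 53 4E GFHBPSAONASOIJSN
0030 47 50 4F 53 41 48 4E 4F 49 41 47 53 4F 49 48 53 GPOSAHNOIAGSOIHS
0040 46 4F 50 53 41 49 46 48 4F 49 50 53 41 46 48 53 FOPSAIFHOIPSAFHS
0050 41 A
"""

HEADER = re.compile(r"^(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s+(\w+)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def parse_log(text):
    """Rebuild each packet's bytes from 'header + hex dump' log entries."""
    packets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"seq": int(m.group(1)), "src": m.group(2),
                   "size": int(m.group(6)), "data": bytearray()}
            packets.append(cur)
        elif cur is not None and line:
            # Skip the offset column; the header's size says how many tokens
            # are bytes, so the trailing ASCII column is never misread as hex.
            want = min(16, cur["size"] - len(cur["data"]))
            for tok in line.split()[1:1 + want]:
                if not HEX_BYTE.match(tok):
                    break
                cur["data"].append(int(tok, 16))
    return packets

def check(pkt):
    """Return the reasons a packet should be dropped (empty list = pass)."""
    data, reasons = pkt["data"], []
    if len(data) != pkt["size"]:
        reasons.append("dump incomplete")
    if len(data) < 2:
        return reasons + ["too short to carry a length and id"]
    if data[0] != len(data):
        reasons.append(f"declared length {data[0]} != actual {len(data)}")
    if data[1] == JOIN_ID and len(data) > MAX_JOIN_LEN:
        reasons.append(f"join packet of {len(data)} bytes exceeds {MAX_JOIN_LEN}")
    return reasons

if __name__ == "__main__":
    for p in parse_log(LOG):
        verdict = check(p)
        print(p["seq"], p["src"], "DROP" if verdict else "pass", verdict)
```

Neither check looks at the name bytes, so the result does not depend on the string matching used by the ASD filters.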

Grytolle
Jan 21, 2006, 02:58 PM
I looked at some more advanced packet scrubbers (I read somewhere that's what shortening packets is called, feel free to correct me), but uh... too advanced, I didn't even get through the install.

Nimrod
Jan 21, 2006, 03:23 PM
ThaSpaz is best friends with Orbitz, so it doesn't surprise me if ThaSpaz is involved.

He was the dude giving IPs to Orbitz when he was banned.... until I blocked him. That block needs to be readded soon I'm thinking.

Birdie
Jan 21, 2006, 03:44 PM
Orbitz: 72.139.36.204

It indeed is Orbitz' real IP. (I caught this ages ago, at the first crash wave.)


ThaSpaz: 83.85.199.209

That is the Dutch IP I got from ThaSpaz back at the first crashing wave.
I'm fully sure about those being the right ones.
http://img77.imageshack.us/img77/3448/ips7un.png
Tha spaz's IP either isn't static or he changed his isp

looks like the noname is orbitz too

Vegito
Jan 21, 2006, 03:57 PM
Maybe because he has changed his IP ;]

NovaStar
Jan 21, 2006, 04:26 PM
Dear J2O,

I am letting you know these crashes occurring are not me, for proof take an eye on my IP: 72.139.36.204
So if you're gonna blame me, prove it cuz it's not me.

I could believe that. RAD tried to take over the listservers last night, and named themselves Orbitz, Orbitz1, Orbitz2, Orbitz3, Orbitz4, Orbitz5, Orbitz6, Orbitz7, Orbitz8 and Orbitz9. I asked who they were and they said they were worse than Orbitz, so it's definitely not Orbitz.

Or I may have forgotten to collect the IPs.:rolleyes: Trust me.

Vegito
Jan 21, 2006, 04:36 PM
I could believe that. RAD tried to take over the listservers last night, and named themselves Orbitz, Orbitz1, Orbitz2, Orbitz3, Orbitz4, Orbitz5, Orbitz6, Orbitz7, Orbitz8 and Orbitz9. I asked who they were and they said they were worse than Orbitz, so it's definitely not Orbitz.

Or I may have forgotten to collect the IPs.:rolleyes: Trust me.


Orbitz can say that to people as well. ;-P

NovaStar
Jan 21, 2006, 05:15 PM
I dunno...
http://img30.imageshack.us/img30/8634/orbitzip9bm.png - Taken from my server which was run 2 hours ago.

UNKNOWNFILE
Jan 21, 2006, 06:38 PM
Does that explain how they connected to and crashed servers from that address? Was it just a server listing script, or did it actually connect to games and they found some way to exploit it?

If you have access to the site logs, you should be able to find out who it was, or at least their IP address. Also, how did they find it? Did you have links to this script or tell anyone about it?

A guy called Adam Gashlin (halleyscometsoftware@hotmail.com) is sharing his web space with me. I am not able to get activity logs from the host unless I ask Adam first.

Anyways, hi Link ;)

Trafton
Jan 21, 2006, 06:59 PM
72.139.36.204 also resolves to Toronto.

NovaStar
Jan 21, 2006, 07:04 PM
Then I guess that's where Orbitz is.

UNKNOWNFILE
Jan 21, 2006, 07:30 PM
We should have got him at EC2005. Oh wait, I wasn't there. <s>and I'm thankful I wasn't with a bunch of (WA)</s>

NovaStar
Jan 21, 2006, 08:07 PM
Then we could ask if anyone went to it and saw Orbitz and know he lives there.

Link
Jan 21, 2006, 08:34 PM
A guy called Adam Gashlin (halleyscometsoftware@hotmail.com) is sharing his web space with me. I am not able to get activity logs from the host unless I ask Adam first.
What about my other questions? If you know who knew about your script, it could definitely help figure out who was doing this. (You should also ask Adam for activity logs.)

Grytolle
Jan 22, 2006, 01:31 AM
There is an indirect link to it in his sig on jcf...
Btw, unless ThaSpaz is proxying his IP isn't static. I caught him with another IP and the one Veg told me yesterday. I promised not to expose it unless he is the hacker though. <strike>So checkout hidden stuff in this post.</strike>
<div style="visibility: hidden;">62.51.147.123</div>

cooba
Jan 22, 2006, 02:30 AM
<b>ThaSpaz is best friends</b> with Orbitz, so it doesn't surprise me if ThaSpaz is involved.
And apparently, so is AJazz.

Grytolle
Jan 22, 2006, 02:31 AM
Or someone faking Ajazz... He isn't really hard to impersonate. "XDXDXDXD KAKA GRY"

cooba
Jan 22, 2006, 02:32 AM
Or someone faking Ajazz...
AJazz, Orbitz and ThaSpaz were friends before both of the latter got banned, so I doubt someone was/is impersonating AJazz at the moment.

Speeza
Jan 22, 2006, 02:34 AM
you all do know I'm ajam XD ajam is short for jamster well the a is not.
Orbitz is not the one you are looking for, it's this other guy who does not need to join to hack servers.

Super_Jarno
Jan 22, 2006, 03:15 AM
But if Orbitz didn't do it who will?

R3ptile
Jan 22, 2006, 03:24 AM
As much as I dislike AJazz, and I do, he has nothing to do with this.

ChaosRR
Jan 22, 2006, 06:22 AM
I asked nimrod: How many people have ASD...He said: too many.


So someone can crash those servers, and then people think it's Orbitz, cause he is the old hacker...


I personally think that Orbitz crashes those, but it's not sure... So I don't take any sides now.

Vegito
Jan 22, 2006, 06:55 AM
AJazz isn't involved in it.

shaney
Jan 22, 2006, 07:26 AM
I think it's now time to see clearly that nimrod protects the people responsible for the arrival of the hack programs. I demand that people like overlord and spazzyman get banned from the server list. If it wasn't for them this (-) never would have happened.

shaney
Jan 22, 2006, 07:33 AM
Let me be clear, I am totally honest now: Orbitz never was in possession of ASD, that's a great lie. He had jazzad when the first crashwave showing how weak jj2's security was. Unfortunately I was the one who supplied him jazzad just to use it to wallclimb, like that was round 2004, 2 years ago, and at that time round 2004 I believe Orbitz was banned.

But still, how can we let the j2hg not be banned from jj2 serverlist, at least people like spazzyman that used jj2 to test hacking progs on. If it wasn't for spazzyman, people like dragon sephirot and Orbitz never were able to crash.

Grytolle
Jan 22, 2006, 07:48 AM
The legend has spoken. Let's ban Overlord!

Nimrod
Jan 22, 2006, 08:57 AM
Overlord has never ever made tools like that public, while he does know how to perform attacks he never made information on how public.

He has also been such a great help with defence tools, I would never EVER authorise a ban of Overlord, he is a great guy and a help to the community. Anyone who says otherwise should be ignored totally in any say in security.

And spazzyman, there's no point me even going there, he doesn't play jj2 anymore nor care about it, so no point anyone trying to get him banned.

Grytolle
Jan 22, 2006, 09:53 AM
Let's ban Overlord anyways!

Birdie
Jan 22, 2006, 02:52 PM
Let me be clear, I am totally honest now: Orbitz never was in possession of ASD, that's a great lie. He had jazzad when the first crashwave showing how weak jj2's security was. Unfortunately I was the one who supplied him jazzad just to use it to wallclimb, like that was round 2004, 2 years ago, and at that time round 2004 I believe Orbitz was banned.

... he has ASD why do you think the whole anti asd filter was made?

Orbitz
Jan 22, 2006, 05:02 PM
Hi y'all!

n00b
Jan 22, 2006, 05:05 PM
Let's ban Overlord anyways!
Hippocrite

Grytolle
Jan 22, 2006, 10:23 PM
Hippocrite
Now what.:mad:

niek
Jan 22, 2006, 11:11 PM
Wow, are those discussions about Orbitz still going on after a few months? I know he's one of the most frustrating Jazz players, but I don't know much about his IP stuff.

Grytolle
Jan 23, 2006, 01:06 AM
...
That would be because there is a new crashwave since he was unbanned... (not saying it was him who crashed those servers)

Cpp
Jan 23, 2006, 02:58 AM
Let's ban Overlord anyways!
Do you really think doing that now would make any difference?

Vegito
Jan 23, 2006, 03:03 AM
Yeah! Another player gone! =P

R3ptile
Jan 23, 2006, 03:40 AM
The legend has spoken. Let's ban Overlord!
*dies from laughter*

Grytolle
Jan 23, 2006, 03:52 AM
Do you really think doing that now would make any difference?
Yes of course! You have been crashing everyone all along. And no one suspects you - I hope you feel really bad about yourself.:mad:

Fawriel
Jan 23, 2006, 04:58 AM
I say we should ban FQuist, the traitor who denies us the right to lynch the criminal! Burn the witch!

Grytolle
Jan 23, 2006, 05:39 AM
Yeah, you are right, let's ban FQuist first, then maybe later Overlord.

ShadowGPW
Jan 23, 2006, 05:55 AM
Yeah, agreed. Down with F.Q.

Grytolle
Jan 23, 2006, 05:56 AM
Btw, I saw DizZy DM hacking, please ban him. He said he was fixing some kind of bug, but I ain't buying that bullcrap.

Odin
Jan 23, 2006, 06:18 AM
Let's ban ClifferyB because every once in a while he hosts horrible levels which make my mind explode.

Puffie40
Jan 23, 2006, 06:24 AM
Okay guys, stay cool! We just need to keep logging, and be persistent. We will catch this idiot before long!

Orbitz, I will believe you are not a crasher when you give us proof you have deleted all your copies of ASD, Jadvantage and so on.

FQuist
Jan 23, 2006, 06:44 AM
It's impossible to prove you've deleted files. How would you do that? You would need to scan every file on someone's computer, and even then those files could just have been hidden or put on a floppy. That's not evidence that you can require.

Speeza
Jan 23, 2006, 07:17 AM
fquist first your avatar makes you look a bit stoned and i am offended by it.
second i think we should ban fquist .

UNKNOWNFILE
Jan 23, 2006, 07:19 AM
You know, personal attacks aren't too nice, unless the person you are insulting is a total jerk. But I guess it doesn't change that too much...

Odin
Jan 23, 2006, 07:25 AM
fquist first your avatar makes you look a bit stoned and i am offended by it.
second i think we should ban fquist .

oops taht sounded mean everybody gerts a new car

Vegito
Jan 23, 2006, 09:15 AM
that was more a PA than actually just having fun indeed.. =P

R3ptile
Jan 23, 2006, 09:48 AM
oops taht sounded mean everybody gerts a new car
new carrotz:p thanks odin

rts3

Odin
Jan 23, 2006, 11:58 AM
new carrotz:p thanks odin

rts3

moar like real time strategy 3 amirite flokz?/

Puffie40
Jan 23, 2006, 04:14 PM
It's impossible to prove you've deleted files. How would you do that? You would need to scan every file on someone's computer, and even then those files could just have been hidden or put on a floppy. That's not evidence that you can require.

If Orbitz is serious about rejoining, then he would provide the proof (Screenshot, for example) Then the ultimate proof is him actually not using them!

Sucer
Jan 25, 2006, 08:48 AM
My whole computer has crashed twice today. If it is anyone from this community, (Orbitz:P) please stop it. I installed 1.23 and then made my first server in a century. I had time to be happy about being able to host for two minutes and then the server crashed "Acces violation".

ChaosRR
Feb 1, 2006, 05:19 AM
He has stopped crashing servers now I guess, mine servers haven't crashed for a long time, but the IP of him is different, could he have changed it somehow?


Or is it just some faker?

Grytolle
Feb 1, 2006, 10:14 AM
Or there is SOMEONE ELSE than Orbitz crashing? ;p